On Wed, Mar 16, 2005 at 10:04:30AM -0500, Ron Gula wrote:
> Tenable does get
> contacted by many equipment manufacturers who have scanning
> outages and we make tweaks to the NASL checks to avoid these
> crashes.

Just an anecdote about that: some vendor sent us an email asking to
modify Nessus to prevent it from connecting to port 1703 (or something)
because it crashed their application (just a full tcp handshake would
crash it), and they could not modify it to fix the bug (I call that
"outsourcing gone bad").

Another vendor routinely blames Nessus for the death of their backup
agent. Once again, we're just talking about a full TCP handshake and
possibly an http 'GET' request to the port.

I personally find it appalling that in 2005, vendors take such a route to
"fix" security issues.

The bottom line is that any active scanner (even just a port scanner)
can and will crash some services or devices. The reason is very simple:
the scanner interacts with another piece of software, and if the other
piece of software has not been written in a very solid way, then that
little talk triggers bugs which result in a crash.

This is why we have developed NeVO (as Ron mentioned) as well as the
local security checks (if you only enable the local checks, Nessus only
logs into the remote host and performs a bunch of local operations).
That's also why the local checks can be used to avoid doing a port scan
(use the 'netstat' scanner).

What we observed is that the most sensitive systems are the ones which 
are never audited - an interesting but sad paradox indeed.


                                -- Renaud
_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus